The Impact of the EU GDPR on Accountants

The working life of an accountant involves daily interaction with vast amounts of sensitive data. As the introduction of the EU GDPR edges closer, it is time to talk about the impact it will have on an accountant’s day-to-day work life.

Replacing the Data Protection Directive of 1995, and designed to protect against cyber disruptions and attacks, this new Regulation will be instrumental in ensuring personal data is protected properly. Accountants who are not up to speed with the EU GDPR by its introduction in early 2018 will run a serious risk of breaching the law.

8 out of 10 accountants are not aware of the EU GDPR.

We wanted to ascertain what knowledge is already out there, and 8 out of 10 accountants* we asked didn’t know about the impact of the EU GDPR on accountants. We also asked a Dublin-based accountant to find out how prepared she is for the EU GDPR. Here is what she had to say:

Are you aware of the EU General Data Protection Regulation coming into effect in early 2018?

No

As far as you know, can a client request deletion of personal data they have previously shared with you?

I think this would depend on what the data was and why the deletion was requested. I think for regulatory purposes (mostly from a revenue perspective) firms are expected to keep all records of work done for a period of time (which would include invoicing information i.e. address etc). So it definitely isn’t as simple as just delete!

Do you currently inform consumers of any data breaches impacting their personal information?

Situations like that don’t arise for me, as in my last 3 jobs (all corporate) the consumers are all large corporations, so the dynamic / rules are different. I do think back to my audit days, when you were obliged to disclose if there were any breaches.

Do you clearly explain to customers/clients the reason/s why their data is being asked for?

Yes – there would always be a full explanation given (usually for billing purposes)

How do you usually delete data?

I wouldn’t; everywhere I worked has had an IT department. To be honest, at the moment I have a laptop, desktop, iPad and iPhone all for work and could at any given time have data on all of them that, as far as I am aware, gets saved into the cloud. I have no idea how IT manage cloud access and deletion.

Who, besides yourself, manages the data and documents you receive?

I manage the data myself unless, as discussed below, it is put on a shared drive.

Who, besides yourself, has access to the data and documents you receive?

Email-wise, if it comes to just me, only I have access (and likely IT), but most of the data I would receive is shared in the company shared drive, so once you are past a certain clearance level you would be able to access it.

Do you have a legal obligation to allow customers and clients to track the personal data of theirs that you hold?

Not sure if it is legal, but within each service level agreement we would have they would be allowed access to a track of this if they so wished!

Gaps in knowledge

Clearly, there are areas where a lack of knowledge exists and these coincide with areas where the new legislation is going to impact the role of an accountant. As well as being aware of the terms of this new Regulation, accountants should take measures to ensure adherence is as easy as possible.

It is important to remember that although companies can ensure encryption of all information sent via their servers, they cannot account for those documents when they are opened on another device (personal laptop, iPhone, iPad). Sharing data through an encrypted app is secure.

So, what can you do?

Firstly, when it comes to providing clear notice to customers on the reasons for requesting data, terms and conditions can be included in each data request made via PlanetVerify and these must be accepted before the data can be stored.

Under the EU GDPR, all data breaches must be shared with affected parties. With PlanetVerify, the likelihood of a breach is diminished by the existence of the “2 factor authentication”, meaning that even if a fraudster manages to hack a password, they will be prevented from logging on as they will also be asked for a code which only exists on the user’s device. This eliminates the risk of remote hacking which is how most fraudsters operate.

Ensure that your business is prepared for this change and that you are armed to deal with inevitable cyber security threats and the growth in sophisticated and impactful hacking techniques. This is unprecedented territory; the digital revolution gains speed every day and with it come issues and risks – ask the right questions of yourself and your staff and see how those gaps in knowledge run parallel with what will soon be required of you.

The EU GDPR gives customers the right to ask companies holding their data to erase it upon request. In turn, PlanetVerify provides a one-click option for customers to request deletion of data and will also send notification to the customer when this is done.

With PlanetVerify, data is sent through secure channels and stored securely in one place – documents do not exist as email attachments, susceptible to hackers and constant virus threats. You are protecting the data you collect in one easy step.

Call us today so you don’t need to pay a fine tomorrow.

Click here to find out how PlanetVerify allows companies to obtain personal data directly and securely from their customers instantly and in a transparent way. Download the App or browse the PlanetVerify website to explore this advanced document gathering and verification process created with your data security in mind.

Comments (2)

You say – “The EU GDPR gives customers the right to ask companies holding their data to erase it upon request”
I ask – from the accountant’s point of view, the financial data needs to be kept for at least several years for UK HMRC TAX purposes; would that not be a breach of TAX regulation if we deleted all the information about the customer?

Great question. The legislation gives customers the right to ‘request’ data erasure – in this instance your response to the customer would be that their data would be deleted on X date in the future in line with your own retention rules.